UrlScan Security Tool Frequently Asked Questions

UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed. UrlScan helps protect Web servers because most malicious attacks share a common characteristic: they involve the use of a request that is unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage.

Chunked-transfer encoding is an HTTP/1.1 feature that transmits the message body in a request or response as chunks that are stamped with their size. HTTP/1.1 allows clients to send POST requests by using chunked-transfer encoding. In most cases, IIS will automatically decode these requests before they are processed. If the size of the request exceeds a particular threshold (by default, 48 KB), then the ISAPI or CGI code to which the request is directed needs to be aware of chunked-transfer encoding to process the request correctly. If you have code running on a server that is receiving POST requests and you are not sure whether it supports chunked-transfer encoding, then consider using UrlScan to prohibit requests that include a "Transfer-Encoding" header. For more information about chunked-transfer encoding, see section 3.6.1 of RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1."
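The following is an added example, not code from UrlScan or from the original page: a simplified Python model of the header check described above, which reads a UrlScan.ini-style [DenyHeaders] section and reports whether a raw request carries a listed header. The ini text, host name, URL path, and function names are constructed for illustration, and the case-insensitive header match is an assumption of this model.

```python
# Added example: simplified model of a [DenyHeaders] check, not UrlScan's own code.
# SAMPLE_INI and both requests below are constructed sample data.
SAMPLE_INI = """\
[options]
; value the installer sets on IIS 6.0, per the page
PerProcessLogging=1

[DenyHeaders]
; header names in this section end with a colon
Transfer-Encoding:
"""

def parse_ini(text):
    """Return {section_name_lowercased: [entries]}, skipping blanks and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def header_names(raw_request):
    """Lower-cased header names taken from the head of a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    names = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip().lower())
    return names

def denied_header(raw_request, ini_text):
    """Return the first request header listed in [DenyHeaders], or None."""
    entries = parse_ini(ini_text).get("denyheaders", [])
    deny = {e.rstrip(":").strip().lower() for e in entries}
    return next((n for n in header_names(raw_request) if n in deny), None)

# Body is one 5-byte chunk ("5\r\nhello\r\n") followed by the zero-size terminator.
CHUNKED_POST = (b"POST /app/handler.dll HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
PLAIN_POST = (b"POST /app/handler.dll HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print("chunked POST denied on:", denied_header(CHUNKED_POST, SAMPLE_INI))
    print("plain POST denied on:", denied_header(PLAIN_POST, SAMPLE_INI))
```

With this rule in place, only the chunked request is flagged; the same payload sent with a Content-Length header passes the check.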

Review the agreement in the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.

When the installer completes, the following message is displayed: "UrlScan has been successfully installed." Click OK to close the installer.

To Uninstall UrlScan

In Control Panel, double-click Add or Remove Programs.

Select UrlScan 2.5 and then click the Change/Remove button.

When UrlScan 2.5 has been removed from your server, the following message is displayed: "UrlScan has been successfully uninstalled." Click OK to complete the uninstall process.

Understanding the UrlScan 2.5 Installer

When installing UrlScan 2.5, the UrlScan 2.5 installer does the following:

Installs the UrlScan.dll and UrlScan.ini files in the %windir%\system32\inetsrv\urlscan directory. If UrlScan is already installed on the computer, the UrlScan.ini file is updated with any new settings that are not present in the current configuration file.

Adds UrlScan as a global filter to IIS.

When installing UrlScan on a server running IIS 6.0, the UrlScan 2.5 installer makes some additional changes that enable UrlScan 2.5 to work with the new IIS 6.0 process model. These changes are as follows:

PerProcessLogging is set to 1 in the UrlScan.ini file. This ensures that two UrlScan processes do not write to the log file at the same time.

UrlScan is marked as cache-aware in the metabase. This ensures that two or more worker processes that are running UrlScan do not write to the log file at the same time.

A new log directory, which is a subdirectory located under the ..\inetsrv\urlscan directory, is created. This ensures that the UrlScan directory does not get cluttered with all of the log files that the PerProcessLogging option will create.

When installing UrlScan 2.5 on IIS, the installer sets permissions for UrlScan.dll, UrlScan.ini, and the log file. When installing UrlScan 2.5 on IIS 6.0, the installer sets additional permissions on the same files to allow UrlScan 2.5 to work with IIS 6.0 worker process isolation mode. Table 2 lists the IIS permissions that are set when UrlScan 2.5 is installed.

If a version of UrlScan is detected on the computer, the installation will be considered an upgrade. In the upgrade scenario, the changes that the installer makes will be the same as for a clean installation unless you have configured a custom log directory. If you have defined a different location for the UrlScan logs, then the new logs directory will not be created.